[j-nsp] SRX: rate-limiting source NAT sources
Alex Arseniev
alex.arseniev at gmail.com
Tue Oct 30 04:03:23 EDT 2012
You can limit flows per individual source IP (not NAT ports) using UTM
https://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/configuration-statement/security-edit-limit.html
You'll need a UTM license.
And if you are doing NAT on branch SRX, UTM is supported only on high-memory
branch SRX boxes.
Thanks
Alex
----- Original Message -----
From: "Jonathan Lassoff" <jof at thejof.com>
To: <juniper-nsp at puck.nether.net>
Sent: Monday, October 29, 2012 9:55 PM
Subject: [j-nsp] SRX: rate-limiting source NAT sources
> So, I'm working on tuning an SRX deployment and am wondering if
> something is possible.
>
> This deployment is doing a lot of source NAT for a wide variety of
> endpoints as they egress out to the Internet. Pretty vanilla
> configuration.
> Specific sources are mapped via NAT rules to specific egress IPs (for
> IP filtering in some places, outside of the SRXes in question).
>
> And once in a while, some endpoint will have a legitimate need to open
> up *many* connections (and then NAT states) that pass over this SRX
> deployment.
> Unfortunately, the rate of connection establishment relative to the
> application timeouts means that these heavy users can use up all of
> the ephemeral ports, blocking new flows from becoming established.
>
> We've been playing a bit of whack-a-mole, assigning more IP space to
> the various source NAT pools, but would like to find a more proper
> solution.
>
>
> So, my question is this: is there any mechanism anyone knows of to
> rate-limit or block-past-a-threshold a "source NAT" source if it
> starts making too many connections?
> I don't see anything obvious in the SRX documentation, so I figured
> I'd ask here for pointers.
>
> Right now, it's way to easy for one bad actor (malicious or
> benevolent) to max out a source NAT pool.
>
> Cheers,
> jof
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
More information about the juniper-nsp
mailing list